One-time passwords for shell access

From BubbaWiki
Jump to: navigation, search

If you are an avid Unix shell user, you will like the Excito devices for their openness - openness in the good sense, meaning that the device offers full access to the whole power of Unix.

Actually, by using an SSH client, you may log in to your device from all over the world (sequentially, of course). This poses two challenges:

  1. You must use a good, strong password, impossible to guess, entirely secret.
  2. You must keep that password secret. Secret, that is, from prying eyes, like the stranger in your favourite Internet café. Not always is this as easy as it sounds (can you type while blindfolding your fellow man?), but there is even a greater threat: unsafe computers, deeply rotten with viruses, worms, keyloggers, and so on; and computers you deem safe, but that aren't.

One-time passwords (in short, OTP) are a means of addressing these issues. They are not perfect, but, when properly used, add an additional layer of security. As their name implies, they may be used only once. So, even if an eavesdropper watches (or logs) you entering your password, the password will not be of any use for him/her - it cannot be used a second time.

I like to combine my standard Unix password with one-time passwords. I do not consider (and would not recommend) to use one-time passwords as the only means of authentication, because many implementations are not that strong. But as an additional layer of security, even a weaker OTP will make things harder for an intruder.

There are lots of OTP solutions out there. One of the more recent developments is Google Authenticator (you might know that from Google's two-phase authentication). It is extremely easy to use with most Linux flavours like Debian (and the B3 is using Debian), but there is no ready solution for Debian Squeeze. So the easiest thing is to postpone using Google Authenticator until the next major B3 software release...

Fortunately, there is the time-honoured OPIE Authentication System that, though a bit old by still using MD5, is an excellent second layer of security, and it's extremely easy to install.

Very, very important notice
Keep an additional SSH connection to your B3, be sure that this connection will not time out, and be root in this shell. You will need this root shell in case of anything going wrong with setting up your OTP system. Remember, if your OTP system is half-configured, or set up improperly, you may not be able to log in again!

That being said, there are no external risks that can't be controlled. If you do everyting properly, more bluntly put: If you don't make any mistake, setting up OPIE is easy.

  1. Become the root user by executing the su command.
  2. Install the OPIE PAM package by executing the command apt-get install opie-server
  3. Open your SSH configuration file /etc/ssh/sshd_config, e.g. using the fabulous vi editor, and find the line containing the string ChallengeResponseAuthentication. Change this entry to ChallengeResponseAuthentication yes, and uncomment it by removing the leading "hash" character ("#").
  4. Restart your SSH daemon by issuing the command /etc/init.d/ssh restart. Don't be afraid - this will not terminate your existing shell sessions.
  5. Open the file /etc/pam.d/sshd using your favourite editor (I take it for granted that at this stage, vi has taken that role.)
  6. Right at the beginning of this file (or after the heading comment lines, but before any actual statements), add the entry auth required pam_opie.so
  7. Now, you will have to drop root privileges in this session by typing exit.
  8. Next, issue the command opiepasswd -c -f. It will ask you to set a password. This password should be different from any other passwords you are using.
  9. Write down the output of this command and store it in a very safe place. (The output looks somewhat like ID username OTP key is 499 co1234 and FREE TOOR RUIN JOB BRAKE). You will need the co1234 part (the seed) and/or the FREE TOOR RUIN JOB BRAKE part for requesting one-time passwords.
  10. Next, do request one-time passwords. That's done with the command opiekey -n 20 499 co1234 Here, 20 is the number of one-time passwords you would like to request (the less, the better, if you want to print the list and carry it with you - but don't request much less than five, that's my recommendation). co1234 is part of the output from the opiepasswd command above. The number 499 is the sequence number the password list shoud end with. You may leave this at 499 for the first run.

Now, when logging in to your B3, you will be presented a very cool prompt like otp-md5 477 co1234 ext, Response:. This means that you have to take your list of one-time passwords for seed co1234, find the password whose sequence number is 477, and enter it.

Next, your B3 will ask for your usual password. This step is less cool, but still mandatory.

If both credentials you entered are correct, your B3 will let you in. If either is wrong, you have to start the login process all over.

Do not forget to request a new list of one-time passwords before your list is exhausted. If you don't want to re-initialize OPIE for your account, you have to provide an appropriate sequence number. So, if your last key list consisted of the keys 461 to 499, your next key list should start with 460, because that's the key OPIE will ask you for when 461 has been consumed.

Note that each OPIE OTP is computed from the seed (in our example, "co1234"), from the OPIE password, and from the sequence number. Instead of carrying the OTP list with you, you may use an OPIE calculator, e.g. the command-line program opiekey. It won't help you on your B3, because you need the calculator in order to be able to log in, but the calculator on the B3 is only available if you are logged in to the B3, obviously... But if you are using a second Linux or Unix computer, you might want to install opiekey there. If it's a debianesque system, you can get your opiekey by executing apt-get install opie-client. The opiekey program expects two arguments: the sequence number (in our example, 499 and so on), and the seed (in our example, "co1234").

There's an OTP Calculator for Android devices, too (I tried it out, and it is working). For MacOS, there is SkeyCalc (this, too, is working perfectly).

For further reading, I recommend the excellent chapter on one-time passwords in the FreeBSD Handbook.